Hello kkajla,

The approach is like the approach we took in what is now a 20 year old web application. We tried to some extent to model it on file permissions, and the REST pattern of noun + CRUD verb, but that wasn't always easy.

We hit a couple of hurdles along the way:

We found that we needed to always evaluate all access based on task and data; you couldn't assess those two separately. This enabled uses such as: a couple could give each other access to read each other's data, but not sign on each other's behalf; but if someone was incapacitated and someone was given power of attorney, the POA could sign on a different user's behalf.

We tried to control all the permissions via groups, and built a UI to maintain the groups and allocations, but the UI never got the attention it needed.

We needed to be able to freeze out tasks, so we had to build grant and deny permissions, where the deny always overruled the grant.

We tried very hard to model all the permissions around a

We made the process of setting up new permission types too difficult; developers just reused existing task permissions, and then none of the permissions really meant what we thought they meant, because the code that used certain tasks for the access check did something very different to the name of the permission.

Mostly it's worked fine. It got complex because the needs were complex, and it's now getting ripped out for Active Directory.
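The rules described in the comment above (permissions evaluated on task and data together, membership via groups, and a deny that always overrules a grant) can be captured in a small evaluator. The following is an added example written for this page, not code from the commenter's application; the users, groups and tasks are constructed for illustration, and the `*` wildcard owner that lets a deny freeze a task across all data is an assumption beyond what the comment states.

```python
"""Added example, not code from the original post: a task+data permission
evaluator with group-based grants and a deny-overrides-grant rule, modelling
the authorization scheme the comment describes. All users, groups and tasks
below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

ANY = "*"  # wildcard data owner (assumed), so a deny can freeze a task everywhere

# A permission is always the pair (task, data_owner): "read" or "sign" means
# nothing until you say whose data it applies to.
Permission = Tuple[str, str]


@dataclass
class Group:
    name: str
    grants: Set[Permission] = field(default_factory=set)
    denies: Set[Permission] = field(default_factory=set)


class AccessPolicy:
    def __init__(self) -> None:
        self.groups: Dict[str, Group] = {}
        self.members: Dict[str, Set[str]] = {}  # user -> names of groups

    def group(self, name: str) -> Group:
        return self.groups.setdefault(name, Group(name))

    def grant(self, group: str, task: str, data_owner: str) -> None:
        self.group(group).grants.add((task, data_owner))

    def deny(self, group: str, task: str, data_owner: str) -> None:
        self.group(group).denies.add((task, data_owner))

    def add_member(self, user: str, group: str) -> None:
        self.group(group)  # make sure the group exists even if it has no rules yet
        self.members.setdefault(user, set()).add(group)

    @staticmethod
    def _matches(perms: Set[Permission], task: str, data_owner: str) -> bool:
        return (task, data_owner) in perms or (task, ANY) in perms

    def is_allowed(self, user: str, task: str, data_owner: str) -> bool:
        """Task and data are checked together; any deny overrules any grant.
        Unknown users belong to no group and are therefore denied."""
        groups = [self.groups[g] for g in self.members.get(user, ())]
        if any(self._matches(g.denies, task, data_owner) for g in groups):
            return False
        return any(self._matches(g.grants, task, data_owner) for g in groups)


def build_demo_policy() -> AccessPolicy:
    """Constructed scenario: a couple share read access, a power of attorney
    can sign for an incapacitated user, and that user is frozen out of signing."""
    p = AccessPolicy()
    # Each user may read and sign their own data.
    for u in ("alice", "bob"):
        p.grant(f"{u}:self", "read", u)
        p.grant(f"{u}:self", "sign", u)
        p.add_member(u, f"{u}:self")
    # The couple read each other's data but cannot sign on each other's behalf.
    p.grant("alice:readers", "read", "alice")
    p.grant("bob:readers", "read", "bob")
    p.add_member("bob", "alice:readers")
    p.add_member("alice", "bob:readers")
    # Carol holds power of attorney for bob: she may read and sign on his behalf.
    p.grant("bob:poa", "read", "bob")
    p.grant("bob:poa", "sign", "bob")
    p.add_member("carol", "bob:poa")
    # Bob is incapacitated: freeze him out of signing anything, even his own data.
    # The deny wins over the grant he still holds through "bob:self".
    p.deny("frozen:sign", "sign", ANY)
    p.add_member("bob", "frozen:sign")
    return p


if __name__ == "__main__":
    policy = build_demo_policy()
    checks = [("alice", "read", "bob"), ("alice", "sign", "bob"),
              ("carol", "sign", "bob"), ("bob", "sign", "bob"),
              ("bob", "read", "alice"), ("dave", "read", "alice")]
    for user, task, owner in checks:
        verdict = policy.is_allowed(user, task, owner)
        print(f"{user:5} {task:4} on {owner}'s data -> {verdict}")
```

Keeping the task and the data owner as one inseparable key is what makes the couple/POA case expressible without special-casing it in the calling code, and evaluating denies before grants is the only ordering under which a "frozen" group reliably overrides whatever other memberships a user has accumulated.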